Configure Microsoft Entra ID SAML SSO for Synaccess Cloud

This guide explains how to connect Synaccess Cloud to Microsoft Entra ID, formerly Azure Active Directory, using SAML 2.0.

Prerequisites

  • A Synaccess Cloud enterprise administrator account.
  • A Microsoft Entra administrator role that can create and configure enterprise applications. Microsoft documents Cloud Application Administrator, Application Administrator, or owner of the service principal for SSO setup.
  • Users must either already exist in Synaccess Cloud with matching email addresses, or just-in-time provisioning must be enabled for the Synaccess enterprise.
  • Keep at least one break-glass administrator account available before enforcing SSO-only sign-in.

Field Mapping

Copy these values from Synaccess Cloud into Microsoft Entra ID:

Synaccess Cloud valueMicrosoft Entra field
Assertion Consumer Service (ACS) URLReply URL (Assertion Consumer Service URL)
Service Provider Entity IDIdentifier (Entity ID)

Copy these values from Microsoft Entra ID back into Synaccess Cloud:

Microsoft Entra valueSynaccess Cloud field
Microsoft Entra IdentifierIdentity Provider Issuer
Login URLSAML SSO Login URL
Certificate (Base64)SAML certificate

Synaccess Cloud does not currently use the Entra Logout URL.

Step 1: Copy Synaccess Cloud SAML Values

  1. Sign in to Synaccess Cloud as an enterprise administrator.
  2. Go to Team > SAML.
  3. Copy the Assertion Consumer Service (ACS) URL.
  4. Copy the Service Provider Entity ID.

The ACS URL is where Entra posts the SAML response. It is enterprise-specific and uses this shape:

https://cloud.synaccess.com/sso/saml/<enterprise_id>

The Service Provider Entity ID is the Synaccess Cloud application origin for the environment:

https://cloud.synaccess.com

Do not use the Microsoft Entra Identifier as the Identifier (Entity ID) in Entra. Entra's Identifier field is asking for the Synaccess service provider entity ID.

Step 2: Create the Entra Enterprise Application

  1. Open the Microsoft Entra admin center or Azure portal.
  2. Go to Entra ID > Enterprise apps > New application.
  3. Select Create your own application.
  4. Enter a recognizable name, such as Synaccess Cloud.
  5. Select Integrate any other application you don't find in the gallery (Non-gallery).
  6. Select Create.

This enterprise application flow is the correct path for a custom SAML integration. Do not use App registrations for this setup unless you are building an OAuth/OIDC application instead.

Step 3: Assign Users or Groups

  1. Open the new enterprise application.
  2. Go to Users and groups.
  3. Select Add user/group.
  4. Assign the users, or groups if your tenant licensing and policy allow group assignment.

For initial testing, assign one known test user whose Synaccess Cloud email address exactly matches the SAML Name ID you will send from Entra.

Step 4: Configure SAML in Entra

  1. In the enterprise application, go to Single sign-on.
  2. Select SAML.
  3. In Basic SAML Configuration, select Edit.
  4. Set Identifier (Entity ID) to the Synaccess Cloud Service Provider Entity ID.
  5. Set Reply URL (Assertion Consumer Service URL) to the Synaccess Cloud ACS URL.
  6. Leave Relay State and Logout URL blank unless you have a specific policy requiring them.
  7. Leave Sign on URL blank for the basic Synaccess setup. If your tenant requires a value or you want the app tile to open Synaccess Cloud, use the Synaccess sign-in URL, such as https://cloud.synaccess.com/saml-login.
  8. Save the configuration.

For Synaccess Cloud, the required Basic SAML Configuration values are Identifier (Entity ID) and Reply URL. Sign on URL is optional and is not the ACS URL.

Step 5: Configure Attributes and Claims

Synaccess Cloud uses the SAML Name ID as the user's email address. The backend looks up the returned Name ID against the user's Synaccess Cloud email.

  1. In the SAML setup page, open Attributes & Claims.
  2. Edit Unique User Identifier (Name ID).
  3. Set the identifier format to Email address when available.
  4. Set Source attribute to the value that matches the user's Synaccess Cloud email:
    • Use user.mail when the Entra mail field is populated and matches the Synaccess Cloud email.
    • Use user.userprincipalname only when the user's UPN is the same value used as their Synaccess Cloud email.
  5. Save the claim.

The default additional claims for email address, given name, surname, and name can remain. Synaccess Cloud does not currently require those additional claims for SAML login.

Do not use objectid, pairwiseid, or another stable opaque identifier as Name ID unless Synaccess Cloud user records are changed to store and match that identifier. Today, Synaccess expects an email-like Name ID.

Step 6: Download the Signing Certificate

  1. Return to the Entra SAML setup page.
  2. In SAML Certificates, download Certificate (Base64).
  3. Open the downloaded certificate in a text editor.
  4. Copy the full certificate into Synaccess Cloud's SAML certificate field.

The certificate may include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Keep them if they are present. Do not paste a private key.

Track the certificate expiration date. When the Entra token-signing certificate expires or is rotated, update the certificate in Synaccess Cloud before users depend on the new certificate.

Step 7: Copy Entra Values into Synaccess Cloud

In the Set up section of the Entra SAML page, copy:

  1. Microsoft Entra Identifier.
  2. Login URL.

Then return to Synaccess Cloud > Team > SAML:

  1. Paste Microsoft Entra Identifier into Identity Provider Issuer.
  2. Paste Login URL into SAML SSO Login URL.
  3. Paste the downloaded certificate into SAML certificate.
  4. Save changes.
  5. Enable SAML access.

After a successful test, decide whether to enable Require SSO for sign-in in Synaccess Cloud team settings. Do this only after confirming at least one administrator can still get in.

Step 8: Test the Login Flow

For the most reliable test, use a private browser window.

  1. Go to the Synaccess Cloud SAML login page, such as https://cloud.synaccess.com/saml-login.
  2. Enter the assigned user's email address.
  3. Synaccess Cloud redirects the browser to Entra with a SAML authentication request.
  4. Sign in with Microsoft credentials.
  5. Entra posts the SAML response back to the Synaccess ACS URL.
  6. Synaccess Cloud signs the user in if the Name ID matches an existing user, or if just-in-time provisioning is enabled and allowed for the enterprise.

You can also test from the Entra SAML page, but Synaccess-initiated login is usually the cleaner test because Synaccess generates the SAML request and includes its expected Name ID policy.

Corrections and Clarifications

  • Basic SAML Configuration: yes, for Synaccess Cloud the required values are Identifier (Entity ID) and Reply URL (ACS URL). Sign on URL is optional.
  • Identifier (Entity ID): use the Synaccess Cloud Service Provider Entity ID, not the Microsoft Entra Identifier.
  • Reply URL: use the Synaccess Cloud ACS URL exactly as shown.
  • Unique User Identifier (Name ID): user.mail is correct only if it matches the Synaccess Cloud email for every assigned user. Otherwise use the Entra attribute that does match.
  • Certificate: pasting the full Base64 certificate with or without PEM begin/end lines is acceptable in the current Synaccess configuration. Prefer keeping the downloaded file's original format.
  • Synaccess Identity Provider Issuer: use Microsoft Entra Identifier.
  • Synaccess SAML SSO Login URL: use Entra Login URL.
  • Logout URL: not used by Synaccess Cloud today.

Troubleshooting

SymptomLikely causeWhat to check
Entra says the reply URL is invalid or mismatchedThe ACS URL in Entra does not exactly match Synaccess CloudCheck scheme, host, path, enterprise ID, and trailing slash
Synaccess shows Unauthorized after Entra redirects backName ID does not match a Synaccess user and JIT provisioning is offInspect the Name ID claim and the user's Synaccess Cloud email
User can authenticate in Entra but cannot access the appUser is not assigned or app assignment policy blocks accessCheck Users and groups and Entra sign-in logs
SAML login fails after certificate rotationSynaccess has the old Entra signing certificateDownload the current Entra certificate and update Synaccess
Direct Entra Login URL does not work as a bookmarkRaw IdP URL lacks Synaccess's SP-initiated request contextStart from https://cloud.synaccess.com/saml-login
Local testing redirects to the wrong host after first-time JIT provisioningCurrent code has a hard-coded production redirect in one JIT pathTest with an existing user or verify in production before relying on local JIT behavior

References